Distributed Client/Server Computer Network

FIELD OF THE INVENTION 

The present invention relates to a distributed 
client/server computer network, and more particularly to a 
distributed client/server computer network which provides a 
client with controlled access, via a remote server, to a 
particular network resource such as an Internet web-site or
service. 

BACKGROUND OF THE INVENTION 

A large number of distributed client/server computer 
networks are known wherein an appropriate authorisation code 
must be transmitted from a client to a remote server for the
client to gain access, via the server, to a particular network 
resource. 

The vast majority of authorisation codes comprise a
series of alphanumeric characters, a "password", which is
entered by a user via a keyboard interface.

However, a password is inherently difficult to
remember, particularly if it is used seldom over a prolonged
period of time, and is easily conveyed either verbally or
visually to an unscrupulous third party who might use the
password to gain unauthorised access to a network resource.

Our European patent No. 0614559 discloses a personal 
identification device for providing controlled access to a 
computer system. The device comprises a store of identification 
codes and associated authorisation codes, access to the
computer system being provided where an identification
code/authorisation code combination, submitted by a user, 
matches a combination stored previously in a memory of the 
device. 

The device of European patent No. 0614559 overcomes the
problems associated with the use of alphanumeric passwords by
using, for each authorisation code, a respective series of
complex images selected from a plurality of similar complex
images. Such complex images may take a number of different
forms, e.g. visual images, auditory images, etc., however
digitised images of human faces have been found to be
particularly suitable due to the innate ability of humans to
readily distinguish between faces which differ in appearance
from one another in very subtle respects, but also due to the
fact that such subtle differences in appearance are very
difficult to convey verbally or otherwise from person to
person.

An object of the present invention is therefore to 
incorporate, in a particularly efficient and secure manner, a 
personal identification system of the type disclosed in 
European patent No. 0614559 into a distributed client/server
computer network, to thereby provide a client with controlled
access, via a remote server, to a particular network resource.

SUMMARY OF THE INVENTION

In accordance with the present invention, there is 
provided a distributed client/server computer network wherein
the identity of at least one complex image, selected from a
plurality of complex images stored by a client, is transmitted 
to a remote server which determines, from the identity of the 
or each image selected, whether the client is authorised to 
gain access, via the server, to a particular network resource. 

The authorisation procedure provided by such a network
is clearly very efficient in that once the client has been
provided with a store of complex images, subsequent access to
the network resource requires only the identity of the or each
selected image, rather than the image itself, to be
communicated between the client and the server. Thus, the
significant time delays associated with the transmission of 
complex images are avoided. 

Furthermore, the network is highly secure as no 
information is stored by the client which might be used to
determine the image or images which must be selected to provide
the client with access to the network resource. 

Preferably the plurality of images comprises at least 
one key image and at least one dummy image, access to the 
network resource being gained by the client by selecting the
or each key image in preference to the or each dummy image.
However, the order in which two or more images are selected may 
also or otherwise be used to determine whether the client is 
authorised to gain access to the network resource. 

Most preferably, the plurality of images are presented
in successive, mutually-exclusive subsets, each subset
containing a plurality of dummy images and a key image which 
must be selected in preference to the dummy images in its 
respective subset. 

Preferably the plurality of images are down-loaded from
the server to the client.

The image or images which must be selected may be 
chosen from a plurality of images stored by the server or may 
be chosen from the plurality of images stored by the client. 

In the former case, the or each chosen image is
preferably a key image which is down-loaded from the server to
the client together with a plurality of dummy images. The dummy
images may comprise the remainder of the plurality of images
from which the or each key image is chosen, a subset thereof
or an alternative set of images to those from which the key
image or images are chosen, but which images bear a resemblance
to the key image or images.

In the latter case, it will be appreciated that the 
identity of the or each chosen image must be transmitted from 
the client to the server.

In either case, where two or more images are chosen, 
the order in which those images are chosen may determine the 
order in which the images must subsequently be selected. 

Also in accordance with the present invention, there is 
provided a method for providing a client of a distributed 
client/server computer network with controlled access, via a
remote server, to a particular network resource, said method 
comprising the steps of providing the client with a store of 
complex images, selecting at least one image from the stored 
images and transmitting the identity of the or each selected 
image to the server which determines, from the identity of the 
or each image selected, whether the client is authorised to 
gain access, via the server, to the network resource. 

Preferably the step of providing the client with a 
store of complex images comprises down-loading the images from
the server to the client.

BRIEF DESCRIPTION OF THE DRAWINGS

An embodiment of the present invention will now be 
described by way of an example only and with reference to the 
accompanying drawings, in which:

Figure 1 is a schematic view of a distributed
client/server computer network in accordance with the present
invention; and

Figure 2 is a drawing of a computer having a screen
display from which complex images may be selected.

DESCRIPTION OF THE PREFERRED EMBODIMENT

Referring to Figure 1 of the drawings, a distributed
client/server computer network is shown comprising a plurality
of local computer systems 2, each of which communicates over
a respective telephone line or other telecommunications link
with a remote computer system 4, hereinafter referred to as a
server, which is arranged to provide each of the local computer
systems 2 with controlled access to one or more network
resources 6, such as Internet sites and services.

In the present context, any of the local computers 2, 
when in communication with the server, is termed a client. 

Also, whilst a network is shown comprising a plurality
of independent local computer systems 2, a single server 4 and
a plurality of resources 6 which are remote from the server 4,
the local computer systems may instead be integrated into a
local area network, the server may be that of an Internet
access provider, itself in communication with a plurality of
other servers, or a server with which that of the Internet
access provider communicates, and one or more of the resources
may be provided locally by the server.

In the embodiment illustrated, where a client 2 is to 
be provided with controlled access to a particular network 
resource 6, the client 2 must first transmit to the server 4 
a chosen alphanumeric identification code and corresponding
authorisation code, a record of the two codes being stored by 
the server 4 for subsequent verification of the client 2. 

The authorisation code comprises a coded reference to
a sequence of four key images chosen from a display of thirty
six complex images down-loaded to the client 2 from the server

Once an identification code and a corresponding
authorisation code have been chosen, the client 2 may
subsequently gain access to ("logon" to) the network resource
6 by re-transmitting the same combination of codes to the
server 4.

Figure 2 shows one of a sequence of four displays in 
which a respective one of the four key images is displayed 
together with eight dummy images arranged in a 3x3 matrix 8.
Each key image must be selected over the dummy images in its 
respective display for the client to be provided with access 
to the resource. 

The network thus described is clearly very efficient in
that, once the client 2 has been provided with a store of
complex images, subsequent access to a network resource 6
requires only the identity of a selected image, rather than the
image itself, to be communicated between the client 2 and the
server 4. Thus, the significant time delays associated with the
transmission of complex images are avoided.

Furthermore, the network is highly secure as no 
information is stored by the client 2 which might be used to 
determine the image or images which must be selected to provide 
the client 2 with access to the network resource 6. 
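
The logon exchange of the preferred embodiment, sketched as an added Python example that is not part of the patent text: the server records four key-image identities out of thirty six, lays out four mutually exclusive 3x3 displays, and checks the identities the client sends back. The function names, the integer image identities, the in-memory record store and the choice to have the server build the displays are assumptions made for illustration.

```python
import hmac
import secrets

IMAGE_IDS = range(36)   # identities of the thirty six stored images (assumed integers)
KEYS, GRID = 4, 9       # four key images, each shown in a 3x3 display
_rng = secrets.SystemRandom()
records = {}            # assumed server-side store: identification code -> key sequence

def enrol(ident, key_sequence):
    """Record the chosen identification/authorisation code pair on the server."""
    keys = list(key_sequence)
    if len(keys) != KEYS or len(set(keys)) != KEYS or any(k not in IMAGE_IDS for k in keys):
        raise ValueError("authorisation code must name four distinct stored images")
    records[ident] = keys

def build_displays(ident):
    """Split all 36 identities into four mutually exclusive displays,
    display n holding key image n plus eight dummies in shuffled positions."""
    keys = records[ident]
    dummies = [i for i in IMAGE_IDS if i not in keys]
    _rng.shuffle(dummies)
    displays = []
    for n, key in enumerate(keys):
        cell = dummies[n * (GRID - 1):(n + 1) * (GRID - 1)] + [key]
        _rng.shuffle(cell)   # key position must not be predictable
        displays.append(cell)
    return displays

def verify(ident, displays, selections):
    """Grant access only if each selection came from its own display and the
    ordered identities equal the stored record (constant-time comparison)."""
    keys = records.get(ident)
    if keys is None or len(selections) != KEYS:
        return False
    if any(s not in d for s, d in zip(selections, displays)):
        return False
    return hmac.compare_digest(bytes(keys), bytes(selections))

def blind_guess_odds():
    """One random pick per display passes all four displays 1 time in this many."""
    return GRID ** KEYS
```

Only image identities cross the link, and nothing held by the client marks which images are keys. Because a blind guess succeeds 1 time in 6561, a server using this check should also cap failed attempts per identification code.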



